Hugging Face's logo

Spaces:
capta1n
/
bas2
Running

App Files Community
capta1n commited on
Commit
c6ddf8a
·
verified ·
1 Parent(s): f4d37ea

Add 3 files

Browse files
Files changed (3) hide show
  1. README.md +7 -5
  2. index.html +567 -19
  3. prompts.txt +5 -0
README.md CHANGED
@@ -1,10 +1,12 @@
1
  ---
2
- title: Bas2
3
- emoji: 🚀
4
- colorFrom: indigo
5
- colorTo: green
6
  sdk: static
7
  pinned: false
 
 
8
  ---
9
 
10
- Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
 
1
  ---
2
+ title: bas2
3
+ emoji: 🐳
4
+ colorFrom: pink
5
+ colorTo: gray
6
  sdk: static
7
  pinned: false
8
+ tags:
9
+ - deepsite
10
  ---
11
 
12
+ Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
index.html CHANGED
@@ -1,19 +1,567 @@
1
- <!doctype html>
2
- <html>
3
- <head>
4
- <meta charset="utf-8" />
5
- <meta name="viewport" content="width=device-width" />
6
- <title>My static Space</title>
7
- <link rel="stylesheet" href="style.css" />
8
- </head>
9
- <body>
10
- <div class="card">
11
- <h1>Welcome to your static Space!</h1>
12
- <p>You can modify this app directly by editing <i>index.html</i> in the Files and versions tab.</p>
13
- <p>
14
- Also don't forget to check the
15
- <a href="https://huggingface.co/docs/hub/spaces" target="_blank">Spaces documentation</a>.
16
- </p>
17
- </div>
18
- </body>
19
- </html>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <!DOCTYPE html>
2
+ <html lang="en">
3
+ <head>
4
+ <meta charset="UTF-8">
5
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
6
+ <title>Phishing Attack Kill Chain Visualization</title>
7
+ <script src="https://cdn.tailwindcss.com"></script>
8
+ <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
9
+ <style>
10
+ .attack-node {
11
+ transition: all 0.3s ease;
12
+ cursor: pointer;
13
+ z-index: 2;
14
+ position: absolute;
15
+ }
16
+ .attack-node:hover {
17
+ transform: scale(1.05);
18
+ box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.2);
19
+ }
20
+ .critical {
21
+ border: 2px solid #ef4444;
22
+ animation: pulse 2s infinite;
23
+ }
24
+ @keyframes pulse {
25
+ 0% { box-shadow: 0 0 0 0 rgba(239, 68, 68, 0.7); }
26
+ 70% { box-shadow: 0 0 0 10px rgba(239, 68, 68, 0); }
27
+ 100% { box-shadow: 0 0 0 0 rgba(239, 68, 68, 0); }
28
+ }
29
+ .data-flow {
30
+ stroke-dasharray: 5;
31
+ animation: dash 30s linear infinite;
32
+ }
33
+ @keyframes dash {
34
+ to {
35
+ stroke-dashoffset: -1000;
36
+ }
37
+ }
38
+ .sidebar {
39
+ transition: all 0.3s ease;
40
+ transform: translateX(100%);
41
+ }
42
+ .sidebar.open {
43
+ transform: translateX(0);
44
+ }
45
+ .zoom-container {
46
+ transition: transform 0.2s ease;
47
+ }
48
+ .attack-flow {
49
+ position: relative;
50
+ height: 600px;
51
+ width: 100%;
52
+ overflow: hidden;
53
+ }
54
+ .alert-item {
55
+ border-left: 3px solid;
56
+ transition: all 0.2s;
57
+ }
58
+ .alert-item:hover {
59
+ transform: translateX(3px);
60
+ }
61
+ .node-icon {
62
+ width: 30px;
63
+ height: 30px;
64
+ display: flex;
65
+ align-items: center;
66
+ justify-content: center;
67
+ border-radius: 50%;
68
+ margin-bottom: 4px;
69
+ }
70
+ .sequence-number {
71
+ position: absolute;
72
+ top: -12px;
73
+ left: 50%;
74
+ transform: translateX(-50%);
75
+ background-color: #3b82f6;
76
+ color: white;
77
+ width: 24px;
78
+ height: 24px;
79
+ border-radius: 50%;
80
+ display: flex;
81
+ align-items: center;
82
+ justify-content: center;
83
+ font-size: 12px;
84
+ font-weight: bold;
85
+ }
86
+ </style>
87
+ </head>
88
+ <body class="bg-gray-100">
89
+ <div class="container mx-auto px-4 py-8">
90
+ <h1 class="text-3xl font-bold text-center text-gray-800 mb-2">Phishing Attack Kill Chain Visualization</h1>
91
+ <p class="text-center text-gray-600 mb-8">Sequential attack flow from initial compromise to data exfiltration</p>
92
+
93
+ <!-- Zoom Controls -->
94
+ <div class="flex justify-center mb-4 space-x-2">
95
+ <button id="zoom-in" class="px-3 py-1 bg-white rounded-md shadow hover:bg-gray-100">
96
+ <i class="fas fa-search-plus"></i> Zoom In
97
+ </button>
98
+ <button id="zoom-out" class="px-3 py-1 bg-white rounded-md shadow hover:bg-gray-100">
99
+ <i class="fas fa-search-minus"></i> Zoom Out
100
+ </button>
101
+ <button id="zoom-reset" class="px-3 py-1 bg-white rounded-md shadow hover:bg-gray-100">
102
+ <i class="fas fa-expand"></i> Reset
103
+ </button>
104
+ </div>
105
+
106
+ <!-- Main Visualization Container -->
107
+ <div class="relative bg-white rounded-xl shadow-lg p-6 overflow-hidden border border-gray-200">
108
+ <!-- Zoomable Container -->
109
+ <div id="zoom-container" class="zoom-container origin-center">
110
+ <!-- Background Grid -->
111
+ <div class="absolute inset-0 opacity-20">
112
+ <svg width="100%" height="100%" xmlns="http://www.w3.org/2000/svg">
113
+ <defs>
114
+ <pattern id="grid" width="80" height="80" patternUnits="userSpaceOnUse">
115
+ <path d="M 80 0 L 0 0 0 80" fill="none" stroke="gray" stroke-width="0.5"/>
116
+ </pattern>
117
+ </defs>
118
+ <rect width="100%" height="100%" fill="url(#grid)" />
119
+ </svg>
120
+ </div>
121
+
122
+ <!-- Attack Flow Container -->
123
+ <div class="attack-flow">
124
+ <!-- Attack Flow SVG -->
125
+ <svg class="absolute inset-0 w-full h-full" id="attack-flow"></svg>
126
+
127
+ <!-- Attack Nodes - Sequential Layout -->
128
+ <div id="attacker" class="attack-node bg-red-50 p-3 rounded-lg shadow-sm border-2 border-red-300 w-[140px] text-center" style="left: 5%; top: 50%;">
129
+ <div class="node-icon bg-red-100">
130
+ <i class="fas fa-user-secret text-red-600 text-lg"></i>
131
+ </div>
132
+ <h3 class="font-bold text-red-800 text-sm">Attacker</h3>
133
+ <p class="text-xs text-red-600 mt-1">C2: 185.143.223.47</p>
134
+ </div>
135
+
136
+ <!-- Step 1: Phishing Email -->
137
+ <div id="step1" class="attack-node bg-blue-50 p-3 rounded-lg shadow-sm border-2 border-blue-300 w-[140px] text-center" style="left: 20%; top: 20%;">
138
+ <div class="sequence-number">1</div>
139
+ <div class="node-icon bg-blue-100">
140
+ <i class="fas fa-envelope text-blue-600 text-lg"></i>
141
+ </div>
142
+ <h3 class="font-bold text-blue-800 text-sm">Phishing Email</h3>
143
+ <p class="text-xs text-blue-600 mt-1">"拥抱AI变革"通知</p>
144
+ </div>
145
+
146
+ <!-- Step 2: Malware Execution -->
147
+ <div id="step2" class="attack-node bg-red-50 p-3 rounded-lg shadow-sm border-2 border-red-300 w-[140px] text-center" style="left: 35%; top: 35%;">
148
+ <div class="sequence-number">2</div>
149
+ <div class="node-icon bg-red-100">
150
+ <i class="fas fa-bug text-red-600 text-lg"></i>
151
+ </div>
152
+ <h3 class="font-bold text-red-800 text-sm">Malware Execution</h3>
153
+ <p class="text-xs text-red-600 mt-1">Cobalt Strike DLL</p>
154
+ </div>
155
+
156
+ <!-- Step 3: C2 Communication -->
157
+ <div id="step3" class="attack-node bg-purple-50 p-3 rounded-lg shadow-sm border-2 border-purple-300 w-[140px] text-center" style="left: 50%; top: 20%;">
158
+ <div class="sequence-number">3</div>
159
+ <div class="node-icon bg-purple-100">
160
+ <i class="fas fa-network-wired text-purple-600 text-lg"></i>
161
+ </div>
162
+ <h3 class="font-bold text-purple-800 text-sm">C2 Channel</h3>
163
+ <p class="text-xs text-purple-600 mt-1">api.cloudfront[.]com</p>
164
+ </div>
165
+
166
+ <!-- Step 4: Credential Theft -->
167
+ <div id="step4" class="attack-node bg-yellow-50 p-3 rounded-lg shadow-sm border-2 border-yellow-300 w-[140px] text-center" style="left: 65%; top: 35%;">
168
+ <div class="sequence-number">4</div>
169
+ <div class="node-icon bg-yellow-100">
170
+ <i class="fas fa-key text-yellow-600 text-lg"></i>
171
+ </div>
172
+ <h3 class="font-bold text-yellow-800 text-sm">Credential Theft</h3>
173
+ <p class="text-xs text-yellow-600 mt-1">Mimikatz + Chrome</p>
174
+ </div>
175
+
176
+ <!-- Step 5: Cloud Docs Penetration -->
177
+ <div id="step5" class="attack-node bg-green-50 p-3 rounded-lg shadow-sm border-2 border-green-300 w-[140px] text-center" style="left: 80%; top: 20%;">
178
+ <div class="sequence-number">5</div>
179
+ <div class="node-icon bg-green-100">
180
+ <i class="fas fa-cloud text-green-600 text-lg"></i>
181
+ </div>
182
+ <h3 class="font-bold text-green-800 text-sm">Cloud Docs Access</h3>
183
+ <p class="text-xs text-green-600 mt-1">语雀API Token</p>
184
+ </div>
185
+
186
+ <!-- Step 6: Production Intrusion -->
187
+ <div id="step6" class="attack-node bg-indigo-50 p-3 rounded-lg shadow-sm border-2 border-indigo-300 w-[140px] text-center" style="left: 35%; top: 65%;">
188
+ <div class="sequence-number">6</div>
189
+ <div class="node-icon bg-indigo-100">
190
+ <i class="fas fa-server text-indigo-600 text-lg"></i>
191
+ </div>
192
+ <h3 class="font-bold text-indigo-800 text-sm">DB Server Access</h3>
193
+ <p class="text-xs text-indigo-600 mt-1">10.8.8.88</p>
194
+ </div>
195
+
196
+ <!-- Step 7: Data Exfiltration -->
197
+ <div id="step7" class="attack-node bg-pink-50 p-3 rounded-lg shadow-sm border-2 border-pink-300 w-[140px] text-center" style="left: 50%; top: 80%;">
198
+ <div class="sequence-number">7</div>
199
+ <div class="node-icon bg-pink-100">
200
+ <i class="fas fa-file-export text-pink-600 text-lg"></i>
201
+ </div>
202
+ <h3 class="font-bold text-pink-800 text-sm">Data Exfiltration</h3>
203
+ <p class="text-xs text-pink-600 mt-1">DNS隧道传输</p>
204
+ </div>
205
+
206
+ <!-- Final C2 Connection -->
207
+ <div id="final-c2" class="attack-node bg-red-50 p-3 rounded-lg shadow-sm border-2 border-red-300 w-[140px] text-center" style="left: 80%; top: 65%;">
208
+ <div class="node-icon bg-red-100">
209
+ <i class="fas fa-exchange-alt text-red-600 text-lg"></i>
210
+ </div>
211
+ <h3 class="font-bold text-red-800 text-sm">C2 Connection</h3>
212
+ <p class="text-xs text-red-600 mt-1">Data Exfil Complete</p>
213
+ </div>
214
+ </div>
215
+ </div>
216
+
217
+ <!-- Sidebar for Attack Details -->
218
+ <div id="attack-sidebar" class="sidebar absolute top-0 right-0 w-96 h-full bg-white shadow-lg p-6 overflow-y-auto">
219
+ <button id="close-sidebar" class="absolute top-4 left-4 text-gray-500 hover:text-gray-700">
220
+ <i class="fas fa-times"></i>
221
+ </button>
222
+ <div id="attack-details">
223
+ <h2 class="text-xl font-bold text-gray-800 mb-4" id="step-title">Attack Step Details</h2>
224
+ <div class="mb-6">
225
+ <h3 class="font-medium text-gray-700 mb-2">Attack Behavior</h3>
226
+ <div class="bg-gray-50 p-4 rounded-md" id="step-behavior">
227
+ <p class="text-sm text-gray-600">Select an attack node to view details</p>
228
+ </div>
229
+ </div>
230
+ <div class="mb-6">
231
+ <h3 class="font-medium text-gray-700 mb-2">Triggered Security Products</h3>
232
+ <div class="bg-gray-50 p-4 rounded-md" id="step-products">
233
+ <p class="text-sm text-gray-600">No product selected</p>
234
+ </div>
235
+ </div>
236
+ <div>
237
+ <h3 class="font-medium text-gray-700 mb-2">Alert Information</h3>
238
+ <div class="bg-gray-50 p-4 rounded-md" id="step-alerts">
239
+ <p class="text-sm text-gray-600">No alerts to display</p>
240
+ </div>
241
+ </div>
242
+ </div>
243
+ </div>
244
+ </div>
245
+
246
+ <!-- Attack Timeline with Alerts -->
247
+ <div class="mt-8 bg-white rounded-lg shadow-md p-6">
248
+ <h2 class="text-xl font-bold text-gray-800 mb-4">Attack Timeline & Security Alerts</h2>
249
+ <div class="space-y-4">
250
+ <!-- Step 1 Alert -->
251
+ <div class="alert-item bg-blue-50 border-blue-500 p-4 rounded cursor-pointer" data-step="1">
252
+ <div class="flex items-start">
253
+ <div class="bg-blue-500 text-white p-2 rounded-full mr-3">
254
+ <i class="fas fa-envelope text-sm"></i>
255
+ </div>
256
+ <div class="flex-1">
257
+ <div class="flex justify-between items-start">
258
+ <h3 class="font-medium text-blue-800">Phishing Email Detected</h3>
259
+ <span class="bg-blue-100 text-blue-800 text-xs px-2 py-1 rounded">邮件安全网关</span>
260
+ </div>
261
+ <p class="text-sm text-gray-600 mt-1">[严重] 检测到仿冒发件人邮件 | 发件人: itsupport@fakecompany[.]com → 目标: victim@corp.com</p>
262
+ </div>
263
+ </div>
264
+ </div>
265
+
266
+ <!-- Step 2 Alert -->
267
+ <div class="alert-item bg-red-50 border-red-500 p-4 rounded cursor-pointer" data-step="2">
268
+ <div class="flex items-start">
269
+ <div class="bg-red-500 text-white p-2 rounded-full mr-3">
270
+ <i class="fas fa-bug text-sm"></i>
271
+ </div>
272
+ <div class="flex-1">
273
+ <div class="flex justify-between items-start">
274
+ <h3 class="font-medium text-red-800">Malicious Process Injection</h3>
275
+ <span class="bg-red-100 text-red-800 text-xs px-2 py-1 rounded">终端检测与响应 (EDR)</span>
276
+ </div>
277
+ <p class="text-sm text-gray-600 mt-1">[高危] 可疑进程注入行��� | 进程: C:\Windows\System32\explorer.exe → 加载内存模块: a09xdf.dll</p>
278
+ </div>
279
+ </div>
280
+ </div>
281
+
282
+ <!-- Step 3 Alert -->
283
+ <div class="alert-item bg-purple-50 border-purple-500 p-4 rounded cursor-pointer" data-step="3">
284
+ <div class="flex items-start">
285
+ <div class="bg-purple-500 text-white p-2 rounded-full mr-3">
286
+ <i class="fas fa-network-wired text-sm"></i>
287
+ </div>
288
+ <div class="flex-1">
289
+ <div class="flex justify-between items-start">
290
+ <h3 class="font-medium text-purple-800">Suspicious C2 Communication</h3>
291
+ <span class="bg-purple-100 text-purple-800 text-xs px-2 py-1 rounded">网络流量分析 (NTA)</span>
292
+ </div>
293
+ <p class="text-sm text-gray-600 mt-1">[紧急] 异常外联行为 | 目标IP: 54.231.1.1(归属AWS新加坡) | 协议: HTTPS</p>
294
+ </div>
295
+ </div>
296
+ </div>
297
+
298
+ <!-- Step 4 Alert -->
299
+ <div class="alert-item bg-yellow-50 border-yellow-500 p-4 rounded cursor-pointer" data-step="4">
300
+ <div class="flex items-start">
301
+ <div class="bg-yellow-500 text-white p-2 rounded-full mr-3">
302
+ <i class="fas fa-key text-sm"></i>
303
+ </div>
304
+ <div class="flex-1">
305
+ <div class="flex justify-between items-start">
306
+ <h3 class="font-medium text-yellow-800">Credential Theft Detected</h3>
307
+ <span class="bg-yellow-100 text-yellow-800 text-xs px-2 py-1 rounded">身份认证异常检测 (UEBA)</span>
308
+ </div>
309
+ <p class="text-sm text-gray-600 mt-1">[高危] 异常浏览器会话 | 用户: Victim_Account | IP来源: 172.16.1.23 → 登录设备指纹突变</p>
310
+ </div>
311
+ </div>
312
+ </div>
313
+
314
+ <!-- Step 5 Alert -->
315
+ <div class="alert-item bg-green-50 border-green-500 p-4 rounded cursor-pointer" data-step="5">
316
+ <div class="flex items-start">
317
+ <div class="bg-green-500 text-white p-2 rounded-full mr-3">
318
+ <i class="fas fa-cloud text-sm"></i>
319
+ </div>
320
+ <div class="flex-1">
321
+ <div class="flex justify-between items-start">
322
+ <h3 class="font-medium text-green-800">Sensitive Data Access</h3>
323
+ <span class="bg-green-100 text-green-800 text-xs px-2 py-1 rounded">DLP (数据防泄漏)</span>
324
+ </div>
325
+ <p class="text-sm text-gray-600 mt-1">[严重] 敏感数据访问行为 | 用户: Victim_Account | 操作: 下载文档ID: YUQUE-1234</p>
326
+ </div>
327
+ </div>
328
+ </div>
329
+
330
+ <!-- Step 6 Alert -->
331
+ <div class="alert-item bg-indigo-50 border-indigo-500 p-4 rounded cursor-pointer" data-step="6">
332
+ <div class="flex items-start">
333
+ <div class="bg-indigo-500 text-white p-2 rounded-full mr-3">
334
+ <i class="fas fa-server text-sm"></i>
335
+ </div>
336
+ <div class="flex-1">
337
+ <div class="flex justify-between items-start">
338
+ <h3 class="font-medium text-indigo-800">Database Server Intrusion</h3>
339
+ <span class="bg-indigo-100 text-indigo-800 text-xs px-2 py-1 rounded">HIDS (主机入侵检测)</span>
340
+ </div>
341
+ <p class="text-sm text-gray-600 mt-1">[紧急] 非常规时间SSH登录 | 账号: dba_admin | 来源IP: 10.8.8.12 | 操作: 执行SHOW DATABASES</p>
342
+ </div>
343
+ </div>
344
+ </div>
345
+
346
+ <!-- Step 7 Alert -->
347
+ <div class="alert-item bg-pink-50 border-pink-500 p-4 rounded cursor-pointer" data-step="7">
348
+ <div class="flex items-start">
349
+ <div class="bg-pink-500 text-white p-2 rounded-full mr-3">
350
+ <i class="fas fa-file-export text-sm"></i>
351
+ </div>
352
+ <div class="flex-1">
353
+ <div class="flex justify-between items-start">
354
+ <h3 class="font-medium text-pink-800">Data Exfiltration Detected</h3>
355
+ <span class="bg-pink-100 text-pink-800 text-xs px-2 py-1 rounded">全流量威胁回溯</span>
356
+ </div>
357
+ <p class="text-sm text-gray-600 mt-1">[严重] 异常数据传输 | 协议: DNS TXT记录 | 目标域: xyz.attacker[.]com | 数据量: 142MB</p>
358
+ </div>
359
+ </div>
360
+ </div>
361
+ </div>
362
+ </div>
363
+ </div>
364
+
365
+ <script>
366
+ // Attack steps data
367
+ const attackSteps = {
368
+ 1: {
369
+ title: "钓鱼邮件投递",
370
+ behavior: "伪造'拥抱AI变革'通知邮件,内含带恶意木马的文件(伪造成files.zip文件)",
371
+ products: "邮件安全网关",
372
+ alerts: "[严重] 检测到仿冒发件人邮件 | 发件人: itsupport@fakecompany[.]com → 目标: victim@corp.com | 包含恶意附件哈希(SHA256: a1b2c3...) | 判定为Emotet钓鱼模板"
373
+ },
374
+ 2: {
375
+ title: "木马执行",
376
+ behavior: "受害者下载木马文件后触发PowerShell脚本,下载Cobalt Strike DLL并注入到合法进程",
377
+ products: "终端检测与响应(EDR)",
378
+ alerts: "[高危] 可疑进程注入行为 | 进程: C:\\Windows\\System32\\explorer.exe → 加载内存模块: a09xdf.dll | DLL签名无效且匹配已知Cobalt Strike特征码"
379
+ },
380
+ 3: {
381
+ title: "C2通道建立与横向移动",
382
+ behavior: "通过CDN域名的HTTPS心跳通信(如api.cloudfront[.]com),部署反向SSH隧道至内网跳板机",
383
+ products: "网络流量分析(NTA)",
384
+ alerts: "[紧急] 异常外联行为 | 目标IP: 54.231.1.1(归属AWS新加坡) | 协议: HTTPS | 证书指纹异常(CN=*.cloudfront[.]com但签发者匹配Let's Encrypt野生证书)"
385
+ },
386
+ 4: {
387
+ title: "凭据窃取与浏览器模拟",
388
+ behavior: "利用Mimikatz提取Chrome浏览器Cookie并伪造User-Agent(同步受害者浏览器指纹)",
389
+ products: "身份认证异常检测(UEBA)",
390
+ alerts: "[高危] 异常浏览器会话 | 用户: Victim_Account | IP来源: 172.16.1.23 → 登录设备指纹突变(新增虚拟机特征/QEMU虚拟显卡)"
391
+ },
392
+ 5: {
393
+ title: "云文档渗透",
394
+ behavior: "通过劫持的语雀API Token访问《生产环境运维手册》,提取内嵌的SSH私钥(Base64编码)",
395
+ products: "DLP(数据防泄漏)",
396
+ alerts: "[严重] 敏感数据访问行为 | 用户: Victim_Account | 操作: 下载文档ID: YUQUE-1234 | 内容匹配关键字: 'prod_ssh_private_key'"
397
+ },
398
+ 6: {
399
+ title: "生产网络入侵",
400
+ behavior: "通过跳板机使用SSH证书登陆MySQL数据库服务器(IP: 10.8.8.88,账号: dba_admin)",
401
+ products: "HIDS(主机入侵检测)",
402
+ alerts: "[紧急] 非常规时间SSH登录 | 账号: dba_admin | 来源IP: 10.8.8.12(测试环境跳板机) | 操作: 执行SHOW DATABASES"
403
+ },
404
+ 7: {
405
+ title: "数据外泄",
406
+ behavior: "将压缩加密后的客户数据(文件名: taobaodata.tar.gz.enc)通过DNS隧道传输到alibaba-bas.com",
407
+ products: "全流量威胁回溯",
408
+ alerts: "[严重] 异常数据传输 | 协议: DNS TXT记录 | 目标域: xyz.attacker[.]com | 数据量: 142MB(超阈值500%)"
409
+ }
410
+ };
411
+
412
+ // Draw curved lines between nodes with arrows
413
+ function drawCurvedLine(svg, fromSelector, toSelector, color = "red", width = 2, animate = false) {
414
+ const fromEl = document.querySelector(fromSelector);
415
+ const toEl = document.querySelector(toSelector);
416
+
417
+ if (!fromEl || !toEl) return;
418
+
419
+ const fromRect = fromEl.getBoundingClientRect();
420
+ const toRect = toEl.getBoundingClientRect();
421
+ const svgRect = svg.getBoundingClientRect();
422
+
423
+ const x1 = fromRect.left + fromRect.width/2 - svgRect.left;
424
+ const y1 = fromRect.top + fromRect.height/2 - svgRect.top;
425
+ const x2 = toRect.left + toRect.width/2 - svgRect.left;
426
+ const y2 = toRect.top + toRect.height/2 - svgRect.top;
427
+
428
+ // Calculate control points for a smooth curve
429
+ const dx = x2 - x1;
430
+ const dy = y2 - y1;
431
+ const controlX1 = x1 + dx * 0.5;
432
+ const controlY1 = y1;
433
+ const controlX2 = x1 + dx * 0.5;
434
+ const controlY2 = y2;
435
+
436
+ // Create path for the line
437
+ const path = document.createElementNS("http://www.w3.org/2000/svg", "path");
438
+ path.setAttribute("d", `M${x1},${y1} C${controlX1},${controlY1} ${controlX2},${controlY2} ${x2},${y2}`);
439
+ path.setAttribute("stroke", color);
440
+ path.setAttribute("stroke-width", width);
441
+ path.setAttribute("fill", "none");
442
+ path.setAttribute("stroke-linecap", "round");
443
+
444
+ if (animate) {
445
+ path.classList.add("data-flow");
446
+ }
447
+
448
+ svg.appendChild(path);
449
+
450
+ // Add arrow marker at the end
451
+ const marker = document.createElementNS("http://www.w3.org/2000/svg", "marker");
452
+ marker.setAttribute("id", `arrow-${color.replace('#', '')}`);
453
+ marker.setAttribute("viewBox", "0 0 10 10");
454
+ marker.setAttribute("refX", "5");
455
+ marker.setAttribute("refY", "5");
456
+ marker.setAttribute("markerWidth", "6");
457
+ marker.setAttribute("markerHeight", "6");
458
+ marker.setAttribute("orient", "auto-start-reverse");
459
+
460
+ const arrowPath = document.createElementNS("http://www.w3.org/2000/svg", "path");
461
+ arrowPath.setAttribute("d", "M 0 0 L 10 5 L 0 10 z");
462
+ arrowPath.setAttribute("fill", color);
463
+
464
+ marker.appendChild(arrowPath);
465
+ svg.appendChild(marker);
466
+
467
+ path.setAttribute("marker-end", `url(#arrow-${color.replace('#', '')})`);
468
+ }
469
+
470
+ // Show attack details in sidebar
471
+ function showAttackDetails(stepId) {
472
+ const step = attackSteps[stepId];
473
+ if (!step) return;
474
+
475
+ document.getElementById("step-title").textContent = step.title;
476
+ document.getElementById("step-behavior").innerHTML = `<p class="text-sm text-gray-600">${step.behavior}</p>`;
477
+ document.getElementById("step-products").innerHTML = `<p class="text-sm text-gray-600">${step.products}</p>`;
478
+ document.getElementById("step-alerts").innerHTML = `<p class="text-sm text-gray-600">${step.alerts}</p>`;
479
+
480
+ // Highlight the selected node
481
+ document.querySelectorAll('.attack-node').forEach(node => {
482
+ node.classList.remove('critical');
483
+ });
484
+ document.getElementById(`step${stepId}`).classList.add('critical');
485
+
486
+ // Open sidebar
487
+ document.getElementById("attack-sidebar").classList.add("open");
488
+ }
489
+
490
+ // Initialize visualization
491
+ function initVisualization() {
492
+ const svg = document.getElementById("attack-flow");
493
+ svg.innerHTML = "";
494
+
495
+ // Draw all attack paths in sequence with different colors
496
+ drawCurvedLine(svg, "#attacker", "#step1", "#3b82f6", 2); // Blue
497
+ drawCurvedLine(svg, "#step1", "#step2", "#ef4444", 2); // Red
498
+ drawCurvedLine(svg, "#step2", "#step3", "#8b5cf6", 2); // Purple
499
+ drawCurvedLine(svg, "#step3", "#step4", "#f59e0b", 2); // Yellow
500
+ drawCurvedLine(svg, "#step4", "#step5", "#10b981", 2); // Green
501
+ drawCurvedLine(svg, "#step5", "#step6", "#6366f1", 2); // Indigo
502
+ drawCurvedLine(svg, "#step6", "#step7", "#ec4899", 2); // Pink
503
+ drawCurvedLine(svg, "#step7", "#final-c2", "#ef4444", 2); // Red
504
+ drawCurvedLine(svg, "#final-c2", "#attacker", "#ef4444", 2, true); // Animated red
505
+ }
506
+
507
+ // Zoom functionality
508
+ let scale = 1;
509
+ const zoomContainer = document.getElementById("zoom-container");
510
+
511
+ document.getElementById("zoom-in").addEventListener("click", () => {
512
+ scale += 0.1;
513
+ zoomContainer.style.transform = `scale(${scale})`;
514
+ });
515
+
516
+ document.getElementById("zoom-out").addEventListener("click", () => {
517
+ if (scale > 0.5) {
518
+ scale -= 0.1;
519
+ zoomContainer.style.transform = `scale(${scale})`;
520
+ }
521
+ });
522
+
523
+ document.getElementById("zoom-reset").addEventListener("click", () => {
524
+ scale = 1;
525
+ zoomContainer.style.transform = `scale(${scale})`;
526
+ });
527
+
528
+ // Initialize
529
+ document.addEventListener("DOMContentLoaded", () => {
530
+ initVisualization();
531
+
532
+ // Add click handlers to attack nodes
533
+ for (let i = 1; i <= 7; i++) {
534
+ document.getElementById(`step${i}`).addEventListener("click", () => {
535
+ showAttackDetails(i);
536
+ });
537
+ }
538
+
539
+ // Add click handlers to timeline alerts
540
+ document.querySelectorAll('.alert-item').forEach(alert => {
541
+ alert.addEventListener('click', () => {
542
+ const stepId = alert.getAttribute('data-step');
543
+ showAttackDetails(stepId);
544
+ });
545
+ });
546
+
547
+ // Close sidebar
548
+ document.getElementById("close-sidebar").addEventListener("click", () => {
549
+ document.getElementById("attack-sidebar").classList.remove("open");
550
+ document.querySelectorAll('.attack-node').forEach(node => {
551
+ node.classList.remove('critical');
552
+ });
553
+ });
554
+
555
+ // Add hover effects to nodes
556
+ document.querySelectorAll('.attack-node').forEach(node => {
557
+ node.addEventListener('mouseenter', () => {
558
+ node.classList.add('shadow-md');
559
+ });
560
+ node.addEventListener('mouseleave', () => {
561
+ node.classList.remove('shadow-md');
562
+ });
563
+ });
564
+ });
565
+ </script>
566
+ <p style="border-radius: 8px; text-align: center; font-size: 12px; color: #fff; margin-top: 16px;position: fixed; left: 8px; bottom: 8px; z-index: 10; background: rgba(0, 0, 0, 0.8); padding: 4px 8px;">Made with <img src="https://enzostvs-deepsite.hf.space/logo.svg" alt="DeepSite Logo" style="width: 16px; height: 16px; vertical-align: middle;display:inline-block;margin-right:3px;filter:brightness(0) invert(1);"><a href="https://enzostvs-deepsite.hf.space" style="color: #fff;text-decoration: underline;" target="_blank" >DeepSite</a> - 🧬 <a href="https://enzostvs-deepsite.hf.space?remix=capta1n/bas2" style="color: #fff;text-decoration: underline;" target="_blank" >Remix</a></p></body>
567
+ </html>
prompts.txt ADDED
@@ -0,0 +1,5 @@
 
 
 
 
 
 
1
+ 将图表中的攻击步骤内容换成以下攻击步骤内容,不要采用分布的形式展示攻击步骤,在一个图表中完整展示攻击步骤,图表支持放大缩小,图表中的连线采用曲线连线,不要和节点有冲突。以攻击者为起点,每个节点为一个攻击行为,每个攻击节点点开后侧边弹窗展示具体的攻击行为内容,下方展示每个步骤触发的防护产品名称和告警信息内容。 步骤1:钓鱼邮件投递 ● 攻击行为:伪造"拥抱AI变革"通知邮件,内含带恶意木马的文件(伪造成files.zip文件) ● 触发防护:邮件安全网关 ● 告警信息:[严重] 检测到仿冒发件人邮件 | 发件人: itsupport@fakecompany[.]com → 目标: victim@corp.com | 包含恶意附件哈希(SHA256: a1b2c3...) | 判定为Emotet钓鱼模板 步骤2:木马执行 ● 攻击行为:受害者下载木马文件后触发PowerShell脚本,下载Cobalt Strike DLL并注入到合法进程 ● 触发防护:终端检测与响应(EDR) ● 告警信息:[高危] 可疑进程注入行为 | 进程: C:\Windows\System32\explorer.exe → 加载内存模块: a09xdf.dll | DLL签名无效且匹配已知Cobalt Strike特征码 步骤3:C2通道建立与横向移动 ● 攻击行为:通过CDN域名的HTTPS心跳通信(如api.cloudfront[.]com),部署反向SSH隧道至内网跳板机 ● 触发防护:网络流量分析(NTA) ● 告警信息:[紧急] 异常外联行为 | 目标IP: 54.231.1.1(归属AWS新加坡) | 协议: HTTPS | 证书指纹异常(CN=*.cloudfront[.]com但签发者匹配Let's Encrypt野生证书) 步骤4:凭据窃取与浏览器模拟 ● 攻击行为:利用Mimikatz提取Chrome浏览器Cookie并伪造User-Agent(同步受害者浏览器指纹) ● 触发防护:身份认证异常检测(UEBA) ● 告警信息:[高危] 异常浏览器会话 | 用户: Victim_Account | IP来源: 172.16.1.23 → 登录设备指纹突变(新增虚拟机特征/QEMU虚拟显卡) 步骤5:云文档渗透 ● 攻击行为:通过劫持的语雀API Token访问《生产环境运维手册》,提取内嵌的SSH私钥(Base64编码) ● 触发防护:DLP(数据防泄漏) ● 告警信息:[严重] 敏感数据访问行为 | 用户: Victim_Account | 操作: 下载文档ID: YUQUE-1234 | 内容匹配关键字: "prod_ssh_private_key" 步骤6:生产网络入侵 ● 攻击行为:通过跳板机使用SSH证书登陆MySQL数据库服务器(IP: 10.8.8.88,账号: dba_admin) ● 触发防护:HIDS(主机入侵检测) ● 告警信息:[紧急] 非常规时间SSH登录 | 账号: dba_admin | 来源IP: 10.8.8.12(测试环境跳板机) | 操作: 执行SHOW DATABASES 步骤7:数据外泄 ● 攻击行为:将压缩加密后的客户数据(文件名: taobaodata.tar.gz.enc)通过DNS隧道传输到alibaba-bas.com ● 触发防护:全流量威胁回溯 ● 告警信息:[严重] 异常数据传输 | 协议: DNS TXT记录 | 目标域: xyz.attacker[.]com | 数据量: 142MB(超阈值500%)
2
+ 按顺序展示攻击步骤优化图表中的布局,不要都集中在一起
3
+ 将以下攻击步骤转化为图表的形式进行展示,在一个图表中完整按顺序展示攻击步骤,图表支持放大缩小,图表中的连线和连线不要重叠。以攻击者为起点,每个节点为一个攻击行为,每个攻击节点之间按顺序用剪头进行连接,每个攻击节点点开后侧边弹窗展示具体的攻击行为内容,图表下方展示每个步骤触发的防护产品名称和告警信息内容。步骤1:钓鱼邮件投递 ● 攻击行为:伪造"拥抱AI变革"通知邮件,内含带恶意木马的文件(伪造成files.zip文件) ● 触发防护:邮件安全网关 ● 告警信息:[严重] 检测到仿冒发件人邮件 | 发件人: itsupport@fakecompany[.]com → 目标: victim@corp.com | 包含恶意附件哈希(SHA256: a1b2c3...) | 判定为Emotet钓鱼模板 步骤2:木马执行 ● 攻击行为:受害者下载木马文件后触发PowerShell脚本,下载Cobalt Strike DLL并注入到合法进程 ● 触发防护:终端检测与响应(EDR) ● 告警信息:[高危] 可疑进程注入行为 | 进程: C:\Windows\System32\explorer.exe → 加载内存模块: a09xdf.dll | DLL签名无效且匹配已知Cobalt Strike特征码 步骤3:C2通道建立与横向移动 ● 攻击行为:通过CDN域名的HTTPS心跳通信(如api.cloudfront[.]com),部署反向SSH隧道至内网跳板机 ● 触发防护:网络流量分析(NTA) ● 告警信息:[紧急] 异常外联行为 | 目标IP: 54.231.1.1(归属AWS新加坡) | 协议: HTTPS | 证书指纹异常(CN=*.cloudfront[.]com但签发者匹配Let's Encrypt野生证书) 步骤4:凭据窃取与浏览器模拟 ● 攻击行为:利用Mimikatz提取Chrome浏览器Cookie并伪造User-Agent(同步受害者浏览器指纹) ● 触发防护:身份认证异常检测(UEBA) ● 告警信息:[高危] 异常浏览器会话 | 用户: Victim_Account | IP来源: 172.16.1.23 → 登录设备指纹突变(新增虚拟机特征/QEMU虚拟显卡) 步骤5:云文档渗透 ● 攻击行为:通过劫持的语雀API Token访问《生产环境运维手册》,提取内嵌的SSH私钥(Base64编码) ● 触发防护:DLP(数据防泄漏) ● 告警信息:[严重] 敏感数据访问行为 | 用户: Victim_Account | 操作: 下载文档ID: YUQUE-1234 | 内容匹配关键字: "prod_ssh_private_key" 步骤6:生产网络入侵 ● 攻击行为:通过跳板机使用SSH证书登陆MySQL数据库服务器(IP: 10.8.8.88,账号: dba_admin) ● 触发防护:HIDS(主机入侵检测) ● 告警信息:[紧急] 非常规时间SSH登录 | 账号: dba_admin | 来源IP: 10.8.8.12(测试环境跳板机) | 操作: 执行SHOW DATABASES 步骤7:数据外泄 ● 攻击行为:将压缩加密后的客户数据(文件名: taobaodata.tar.gz.enc)通过DNS隧道传输到alibaba-bas.com ● 触发防护:全流量威胁回溯 ● 告警信息:[严重] 异常数据传输 | 协议: DNS TXT记录 | 目标域: xyz.attacker[.]com | 数据量: 142MB(超阈值500%)
4
+ 1、调整图表中的节点大小,确保图表可以完整展示全部的攻击节点 2、每个攻击节点之间按顺序用剪头进行连接
5
+ 1. 缩小每个节点的大小确保图表可以完整清晰的展示全部攻击节点和节点之间的执行顺序